From f645ac6040b02d5799a3e788d42002ab20063f78 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Tue, 10 Jul 2012 01:05:03 +0100
Subject: [PATCH] dealing with variables in SQL procs - issue #33
---
 lib/core/common.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/lib/core/common.py b/lib/core/common.py
index 4b8cf9ae7..1d5aeeb11 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1567,11 +1567,20 @@ def getSQLSnippet(dbms, sfile, **variables):
 for _ in re.findall(r"%RANDINT\d+%", retVal, re.I):
 retVal = retVal.replace(_, randomInt())
- _ = re.findall(r"%(\w+)%", retVal, re.I)
+ variables = re.findall(r"%(\w+)%", retVal, re.I)
- if _:
- errMsg = "unresolved variable%s '%s' in SQL file '%s'" % ("s" if len(_) > 1 else "", ", ".join(_), sfile)
- raise sqlmapGenericException, errMsg
+ if variables:
+ errMsg = "unresolved variable%s '%s' in SQL file '%s'" % ("s" if len(variables) > 1 else "", ", ".join(variables), sfile)
+ logger.error(errMsg)
+
+ msg = "do you want to provide the substitution values? [y/N] "
+ choice = readInput(msg, default="N")
+
+ if choice and choice[0].lower() == "y":
+ for var in variables:
+ msg = "insert value for variable '%s': " % var
+ val = readInput(msg)
+ retVal = retVal.replace(r"%%%s%%" % var, val)
 return retVal
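Review bot: When the answer to the first prompt is anything other than "y" (including the default "N"), the new `if variables:` branch only logs the error and falls through to `return retVal`, so the caller gets a snippet that still contains `%NAME%` placeholders where the old code raised. Keep the failure on that path by adding `else:` followed by `raise sqlmapGenericException, errMsg` after the `if choice and choice[0].lower() == "y":` block. The inner `readInput(msg)` passes no default, so if it can return None (its definition is outside this hunk) the following `retVal.replace(...)` would raise TypeError; `val = readInput(msg) or ""` or a re-prompt would avoid that. Reusing the name `variables` also overwrites the `**variables` keyword argument of getSQLSnippet, whose body starts outside the hunk; a distinct local such as `unresolved` would be clearer, and because `re.findall` repeats a name used more than once, the loop may prompt twice for the same variable.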